Security Corner

Well, maybe. At least that’s what Steve Gibson said in Episode 302 of the Security Now! podcast:

Nothing I’ve ever said about passwords is right. I mean, nothing everyone – anyone thinks. I have got some news. I know it sounds like I’ve lost my mind. But I think I can – I’m working on a new page now which is going to lay it all out and explain it and give people something to play with so they can test passwords using this new scheme. And when you hear it, you’re going to go, oh, my god. Why didn’t anyone ever think about this before?

If nothing anyone thinks about passwords is right, then I must be wrong, too, right?

Steve has been playing with a passcode designer under the premise “Maximal Entropy, Minimal Length, Maximal Strength.” He says that in the process of working on this, he realized that our concepts of passwords are wrong, and he has stamped the page with “obsolete.” He promises to reveal all in Security Now! Episode 303 this week. At the bottom of his passcode designer page, he posts a “post mortem.” Here’s an excerpt:

The Passcode Designer is based upon the concept of generating maximal-entropy, maximal-strength, and minimal-length passcodes by encouraging a high number of “transitions” between the four character “classes” where the classes were the uppercase alphabetic (A-Z), lowercase alphabetic (a-z), the ten digits (0-9) and the 33 printable special symbol characters (!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~). The interactive graphical JavaScript-driven state machine at the top of this page was the beginning of the development of that concept. (It is fully functional, finished, and works as intended.)

But after reaching this point, by creating what I thought was right, I realized what was wrong with that approach. What I never expected was what happened next: Unlikely as this sounds, I realized that we (the entire computer industry) have always been thinking about maximum-strength attack-resistant passwords in the wrong way. I realized that the creation of high-entropy passwords was not only often the wrong goal, but was typically counter-productive.
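To make the “transitions between character classes” idea concrete, here is an added example (not code from this post or from GRC’s Passcode Designer) that classifies each character into the four classes the excerpt names, counts class-to-class transitions, and estimates the brute-force search space a given length and alphabet imply. The class sizes are the ones quoted above; it is an assumption of this example that the 33rd special character is the space, and the sample passcodes are constructed, not real credentials.

```python
"""Character-class transitions and search-space estimate for passcodes.

Added example, not code from the original post or from GRC's Passcode
Designer. It implements the idea the quoted text describes: classify each
character into one of four classes, count class-to-class transitions, and
estimate the brute-force search space implied by length and alphabet size.
"""
import math
import string

# Class sizes as given in the quoted text: 26 upper, 26 lower, 10 digits,
# 33 specials. Assumption: the 33rd special beyond string.punctuation is space.
CLASS_SIZES = {"U": 26, "L": 26, "D": 10, "S": 33}
SPECIALS = string.punctuation + " "


def char_class(ch: str) -> str:
    """Map one character to 'U', 'L', 'D' or 'S'; raise on anything else."""
    if ch in string.ascii_uppercase:
        return "U"
    if ch in string.ascii_lowercase:
        return "L"
    if ch in string.digits:
        return "D"
    if ch in SPECIALS:
        return "S"
    raise ValueError(f"character outside the 95 printable ASCII set: {ch!r}")


def class_sequence(passcode: str) -> str:
    """Class string for a passcode, e.g. 'Passw0rd!' -> 'ULLLLDLLS'."""
    return "".join(char_class(c) for c in passcode)


def count_transitions(passcode: str) -> int:
    """Positions where the class differs from the previous character's class."""
    seq = class_sequence(passcode)
    return sum(1 for a, b in zip(seq, seq[1:]) if a != b)


def alphabet_size(passcode: str) -> int:
    """Alphabet an attacker must cover if they know which classes are present."""
    return sum(CLASS_SIZES[c] for c in set(class_sequence(passcode)))


def search_space_bits(passcode: str) -> float:
    """log2 of the brute-force search space: length * log2(alphabet)."""
    return len(passcode) * math.log2(alphabet_size(passcode))


def minimal_length(target_bits: float, alphabet: int) -> int:
    """Shortest length reaching target_bits of search space for an alphabet."""
    return math.ceil(target_bits / math.log2(alphabet))


if __name__ == "__main__":
    # Constructed sample passcodes, not real credentials.
    for pc in ("password", "Passw0rd!", "aB1!aB1!"):
        print(f"{pc:12} classes={class_sequence(pc)} "
              f"transitions={count_transitions(pc)} "
              f"alphabet={alphabet_size(pc)} bits={search_space_bits(pc):.1f}")
    print("length for 64 bits: 95-char alphabet ->", minimal_length(64, 95),
          ", lowercase only ->", minimal_length(64, 26))
```

The search-space figure is the most attacker-friendly model (exhaustive search over the classes actually present); a dictionary or rule-based guess reaches “password” far sooner than its 37.6-bit brute-force figure suggests, which is why transition count and length alone do not settle strength. The `minimal_length` helper shows the length side of the tradeoff: reaching 64 bits takes 10 characters drawn from all four classes but 14 from lowercase letters alone.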


About This Blog

Ken "The Geek" Harthun takes the mystery out of computer security. You’ll find valuable advice, tips, and news on how to keep your PCs, network, and data safe from attack by crackers and cybercriminals.